[Samba] Samba LDAP rootpw error
Gary Dale
garydale at torfree.net
Sat Mar 25 22:13:39 GMT 2006
Matt Richards wrote:
>>Matt Richards wrote:
>>
>>
>>
>>>>I was following the howto below (originally posted on this list as BIG
>>>>Samba howto for debian only.) to see if I could get my not-quite-working
>>>>Samba 3.0.14a (debian) server fully working and able to handle my Linux
>>>>logins too. The problem I'm having with my Samba setup is that I can't
>>>>change user passwords except through Swat. Users can't change them from
>>>>their machines using the Windows password change - but they are notified
>>>>to change them by when they expire.
>>>>
>>>>Anyway, my attempts to follow the howto hit a roadblock at "3 LDAP
>>>>Server configuration". Neither slapindex nor slapd will run. It looks
>>>>like it doesn't like something about my root password, but I'm not sure
>>>>what it wants (I'm no expert on LDAP). :)
>>>>
>>>>Slapindex complains "bad configuration file". Slapd gives the more
>>>>detailed:
>>>> line 65 (rootpw ***)
>>>> /etc/ldap/slapd.conf: line 65: rootpw can only be set when rootdn is
>>>>under suffix
>>>>
>>>>I've attached my slapd.conf file if that is of any assistance. Any help
>>>>will be greatly appreciated.
>>>>
>>>>
>>>>Louis van Belle wrote:
>>>>
>>>>
>>>>
>>>>
>>>>
>>>[..snip..]
>>>
>>>humm well looking at the config file the first thing that i notice is
>>>this
>>>...
>>>
>>># The base of your directory in database #1
>>>suffix "dc=rahim-dale,dc=org"
>>>rootdn "cn=admin,dc=toronto,dc=ontario,dc=ca"
>>>
>>>
>>>your root dn isn't in the base of your ldap tree, this should probuly be
>>>something like ...
>>>
>>>suffix "dc=rahim-dale,dc=org"
>>>rootdn "cn=admin,dc=rahim-dale,dc=org"
>>>
>>>try it n let us know what happens :).
>>>
>>>HTH
>>>
>>>Matt.
>>>
>>>
>>>
>>>
>>>
>>You got it in one! I've got slapd running.
>>
>>Now I'm stuck at "5.4 set the samba ldap admin password". I can set the
>>admin password and get the expected response, but when I try
>>"smbldap-populate -a Administrator -b nobody -u 2000 -g 2000", it fails
>>to add the various groups. I get "failed to add entry: modifications
>>require authentication at /usr/sbin/smbldap-populate line 460, <GEN1>
>>line 3." for each ou=<groupname> it tries to add.
>>
>>Any ideas?
>>
>>
>
>the smbldap-populate scripts requires authentication to the ldap server
>there is probuly a problem with the login you have set in smbldap.conf ..
>if you have set any at!
>
>i would recommend looking through the smbldap-tools howto at
>http://samba.idealx.org/smbldap-tools.en.html
>and see if there is anything you have missed out, but the first thing i
>would try is this ..
>
>...
>3 Configuring the smbldap-tools
>As mentioned in the previous section, you'll have to update two
>configuration files. The first (smbldap.conf) allows you to set global
>parameter that are readable by everybody, and the second
>(smbldap_bind.conf) defines two administrative accounts to bind to a slave
>and a master ldap server: this file must thus be readable only by root. A
>script is named configure.pl can help you to set their contents up. It is
>located in the tarball downloaded or in the documentation directory if you
>got the RPM archive (see /usr/share/doc/smbldap-tools/). Just invoke it:
>
>/usr/share/doc/smbldap-tools/configure.pl
>...
>
>note : the smbldap-tools dir might not be located in your /usr/share/doc/
>directory.
>
>if this doesn't work you could attach your smbldap config file (with the
>passwd taken out of cause) so we can have a little look.
>
>Matt.
>
>
>
I can't see anything wrong with my setup but even when I tweak the
settings a little, I get the same result. Here are: smbldap.conf,
smbldap_bind.conf (with passwords removed) and the smb.conf I'm using
for ldap (renamed right now because I'm keeping my old setup available
until I get this working).
One issue is my password does have an apostrophe and a period in it. It
shouldn't be an issue because the bind file has them in quotes. I've
also tried them escaped ("\") but that didn't change anything.
-------------- next part --------------
# Global parameters
[global]
workgroup = RAHIM-DALE
netbios name = SEMPER
#interfaces = 192.168.5.11
username map = /etc/samba/smbusers
enable privileges = yes
server string = %h PDC (Samba %v)
security = user
encrypt passwords = Yes
min passwd length = 5
obey pam restrictions = No
ldap passwd sync = Yes
#unix password sync = Yes
#passwd program = /usr/sbin/smbldap-passwd -u %u
#passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
ldap passwd sync = Yes
log level = 0
syslog = 0
log file = /var/log/samba/log.%m
max log size = 100000
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
Dos charset = 850
Unix charset = ISO8859-1
admin users = garydale, root
hosts allow = 192.168.2.
logon script = scripts\logon.bat
logon path = \\%L\Profiles\%U
logon drive = M:
logon home = \\%L\%U
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
passdb backend = ldapsam:ldap://127.0.0.1/
# passdb backend = ldapsam:"ldap://127.0.0.1/ ldap://slave.idealx.com"
# ldap filter = (&(objectclass=sambaSamAccount)(uid=%u))
ldap admin dn = uid=samba,ou=Users,dc=rahim-dale,dc=org
ldap suffix = dc=rahim-dale,dc=org
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
ldap ssl = start tls
add user script = /usr/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
#delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
#delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
# printers configuration
printer admin = @"Print Operators"
load printers = Yes
create mask = 0640
directory mask = 0750
nt acl support = No
printing = cups
printcap name = cups
deadtime = 10
guest account = nobody
map to guest = Bad User
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
show add printer wizard = yes
; to maintain capital letters in shortcuts in any of the profile folders:
preserve case = yes
short preserve case = yes
case sensitive = no
[homes]
comment = repertoire de %U, %u
read only = No
create mask = 0644
directory mask = 0775
browseable = No
[netlogon]
comment = Logon Server Share
path = /home/samba/netlogon
read only = No
browseable = No
[profiles]
path = /home/samba/profiles
read only = no
create mask = 0600
directory mask = 0700
browseable = No
guest ok = Yes
profile acls = yes
csc policy = disable
# next line is a great way to secure the profiles
force user = %U
# next line allows administrator to access all profiles
valid users = %U "Domain Admins"
[printers]
comment = Network Printers
printer admin = @"Print Operators"
guest ok = yes
printable = yes
path = /home/spool/
browseable = No
read only = Yes
printable = Yes
print command = /usr/bin/lpr -P%p -r %s
lpq command = /usr/bin/lpq -P%p
lprm command = /usr/bin/lprm -P%p %j
[print$]
path = /home/printers
guest ok = No
browseable = Yes
read only = Yes
valid users = @"Print Operators"
write list = @"Print Operators"
create mask = 0664
directory mask = 0775
[public]
comment = Repertoire public
path = /home/public
browseable = Yes
guest ok = Yes
read only = No
directory mask = 0775
create mask = 0664
[archives]
path = /home/shares/archives
write list = +Users, +users
read only = No
create mask = 0770
directory mask = 0770
[communications]
path = /home/shares/communications
read only = No
create mask = 0770
directory mask = 0770
[dosstuff]
path = /home/shares/dosstuff
read only = No
create mask = 0770
directory mask = 0770
[games]
path = /home/shares/games
read only = No
create mask = 0770
directory mask = 0770
[graphics]
path = /home/shares/graphics
read only = No
create mask = 0770
directory mask = 0770
[hardware]
path = /home/shares/hardware
read only = No
create mask = 0770
directory mask = 0770
[install]
path = /home/shares/install
read only = No
create mask = 0770
directory mask = 0770
[office]
path = /home/shares/office
read only = No
create mask = 0770
directory mask = 0770
[tools]
path = /home/shares/tools
read only = No
create mask = 0770
directory mask = 0770
[utility]
path = /home/shares/utility
read only = No
create mask = 0770
directory mask = 0770
[media$]
path = /home/secure/media
valid users = garydale
read only = No
create mask = 0770
directory mask = 0770
[webpages$]
path = /home/secure/webpages
valid users = garydale
read only = No
create mask = 0770
directory mask = 0770
[aleysha]
path = /home/aleysha
[shafeena]
path = /home/shafeena
[garydale]
path = /backup/home/samba/profiles/garydale
-------------- next part --------------
# $Source: /opt/cvs/samba/smbldap-tools/smbldap.conf,v $
# $Id: smbldap.conf,v 1.17 2005/01/29 15:00:54 jtournier Exp $
#
# smbldap-tools.conf : Q & D configuration file for smbldap-tools
# This code was developped by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
#
# Copyright (C) 2001-2002 IDEALX
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.
# Purpose :
# . be the configuration file for all smbldap-tools scripts
##############################################################################
#
# General Configuration
#
##############################################################################
# Put your own SID
# to obtain this number do: net getlocalsid
SID="S-1-5-21-2876377172-3325382575-3296313911"
##############################################################################
#
# LDAP Configuration
#
##############################################################################
# Notes: to use to dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
# (typically a replication directory)
# Ex: slaveLDAP=127.0.0.1
slaveLDAP="127.0.0.1"
slavePort="389"
# Master LDAP : needed for write operations
# Ex: masterLDAP=127.0.0.1
masterLDAP="127.0.0.1"
masterPort="389"
# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
ldapTLS="0"
# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify="require"
# CA certificate
# see "man Net::LDAP" in start_tls section for more details
cafile="/etc/smbldap-tools/ca.pem"
# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientcert="/etc/smbldap-tools/smbldap-tools.pem"
# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientkey="/etc/smbldap-tools/smbldap-tools.key"
# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=rahim-dale,dc=org"
# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
usersdn="ou=Users,${suffix}"
# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
computersdn="ou=Computers,${suffix}"
# Where are stored Groups
# Ex groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
groupsdn="ou=Groups,${suffix}"
# Where are stored Idmap entries (used if samba is a domain member server)
# Ex groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
idmapdn="ou=Idmap,${suffix}"
# Where to store next uidNumber and gidNumber available
sambaUnixIdPooldn="sambaDomainName=rahim-dale,${suffix}"
# Default scope Used
scope="sub"
# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
hash_encrypt="MD5"
# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format="$1$%.8s"
##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################
# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/nologin"
# Home directory
# Ex: userHome="/home/%U"
userHome="/home/%U"
# Gecos
userGecos="System User"
# Default User (POSIX and Samba) GID
defaultUserGid="513"
# Default Computer (Samba) GID
defaultComputerGid="515"
# Skel dir
skeletonDir="/etc/skel"
# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="99"
##############################################################################
#
# SAMBA Configuration
#
##############################################################################
# The UNC path to home drives location (%U username substitution)
# Ex: \\My-PDC-netbios-name\homes\%U
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
userSmbHome="\\semper\homes\%U"
# The UNC path to profiles locations (%U username substitution)
# Ex: \\My-PDC-netbios-name\profiles\%U
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
userProfile="\\semper\profiles\%U"
# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: H: for H:
userHomeDrive="M:"
# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: %U.cmd
# userScript="startup.cmd" # make sure script file is edited under dos
userScript="%U.cmd"
# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
mailDomain="rogers.com"
##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################
# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
# but prefer Crypt:: libraries
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"
-------------- next part --------------
############################
# Credential Configuration #
############################
# Notes: you can specify two differents configuration if you use a
# master ldap for writing access and a slave ldap server for reading access
# By default, we will use the same DN (so it will work for standard Samba
# release)
slaveDN="cn=admin,dc=family,dc=rahim-family,dc=org"
slavePw="<password>"
masterDN="cn=admin,dc=family,dc=rahim-dale,dc=org"
masterPw="<password>"
More information about the samba
mailing list